Channel: Software Communities : Popular Discussions - ActiveRoles
Viewing all 1277 articles

Issue with Clearing the last user from SecondaryOwners

I was going to use managedBy and Secondary Owners to allow some delegated Exchange management. If you add users to Secondary Owners it grants native read/write membership to manage through Outlook for mail-enabled groups, and a side benefit is it delegates the users read/write membership in ARS. The issue is, for the last user listed, if you clear the attribute without first unchecking "Secondary owners can update membership list" and clicking Apply, then clearing the Secondary Owners, the native security permission stays.

I was thinking about using a policy script to work around this issue by determining if they are clearing edsvaSecondaryOwners and, if so, on Pre-Modify clearing edsvaSecondaryOwnersCanUpdateMembershipList first.

Has anyone noticed this issue in 6.7 or 6.8 and worked around it?


ARS 6.8 > What's New?

Guys,

Is there any documentation on what's new in 6.8? I am running 6.7 and would like to make a case to upgrade to 6.8.

Cheers

Craig

how to remove user from group B when adding in group A

Hello,

I want to use ARS policies and a script to manage a few groups with the "simple" rule:

     No user can be in both Group A and Group B, so if I add the user to Group A, the user is removed from Group B, and vice versa.

I will put a policy on the groups to run a PowerShell script.

I'm just confused about the $Request object:

     When adding a user to a group monitored by a policy, will $Request return info on the user, on the group, or both?

The script will store the DN of the 2 groups.

But will the following return the group's DN? If yes, how do I get the user's info?

$sDNGroup = $Request.GET('distinguishedName')

Thanks.

Whoami with powershell, $Request.whoami

Hello,

I want to find out who is starting the script. I want to move a group and find out who started the move.

My SamAccountName is t2rehst and the SamAccountName from Quest is Questadm.

My problem is, every time I use whoami, it always shows me DOMAIN/Questadm. My account t2rehst is never displayed.

If I use $Request.whoami, I get the following information:

" System.Void WhoAmI(System.String&, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 accountName, System.String&, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 dn="I use t

Can I use the PublicKeyToken?

I tried, for example:

function onPreMove($Request)
{
    # SID of the Questadm account (a bare SID string, so it can be compared to a user's SID)
    $SID_QUESTADM = "S-1-5-21-2076390139-743132798-1575050150-90725"

    # snap-in for Quest
    Add-PSSnapin Quest.ActiveRoles.ADManagement

    if ($Request.Class -eq "group")
    {
        # whoami returns the account the script process is running as (DOMAIN\user)
        $user = whoami
        $EventLog.ReportEvent(2, "user : $($user)")

        $name = $Request.name
        if ($name -match "G-AUDI-AG-DISTMng")
        {
            # only move if account is questadm (SID S-1-5-21-2076390139-743132798-1575050150-90725)
            $user1 = Get-QADUser $user -IncludeAllProperties
            $userSid = [string]$user1.SID
            $EventLog.ReportEvent(2, "userSID : $($userSid)")
            if ($userSid -ne $SID_QUESTADM)
            {
                $msg = "Group $($name) can't be moved."
                throw $msg
            }
        }
    }
}

The script always shows me DOMAIN/Questadm though I started the script. I hope you can catch my problem.

woody

Workflow Filter OU

I'm attempting to create a computer account cleanup workflow. Everything is working fine, except attempting to filter out OUs for searching. For example, we have some NAS devices that require an AD account but do not reset their password. I'm querying passwords that have not changed in 120 days. Without filtering out the OU they get moved and disabled by the workflow. How can I exclude an OU from the search? I tried "DN does not contain NAS", but then nothing seemed to happen.

The specified string is not in the form required for an e-mail address

Hi,

We have created a workflow that would trigger an approval when a user is added to a specified group.

But when the approver clicks the approve button, he/she gets this error:

[screenshot: ars-issue.png]

We have several other workflows doing the exact same thing but for other groups/other approvers, that don't give us this error.

Can anyone give me a hint as to where to look to solve this issue?

//Christoffer

Forced to create Exchange mailbox on new account creation

This should be an easy one, but I didn't build this system and I can't find out where this setting should be.

Our Helpdesk uses the ActiveRoles web interface. When creating a new user, the option to "Create an Exchange mailbox" is checked and greyed out. The Helpdesk would like the option to un-check this box and create a new user without a mailbox being created. I can't figure out where this is set - would it be in a policy object, or a customization setting in the web interface? What would be the easiest way to figure this out?

Thanks in advance.

get Permission set in ARS template

I use Get-QARSAccessTemplate to extract the DN, then Get-QARSPermission to list the permissions set in the template.

The next step will then be to find out which trustees use the template.

[screenshot: Capture.GIF]

My PS knowledge is not good enough to get the right information.

Can you provide me a sample to get a list of the permissions set in a template?

Thanks


ARS 6.7 Upgrade to 6.8 License Key Not Working

Hello,

Is it required that a new license key be issued when upgrading to ARS 6.8 from version 6.7? During the upgrade of the Administration Service, the installation wizard does not appear to want to accept the license key that was used for the 6.7 installation, even though it is licensed for version 6.x (when looking inside the ASC file). Thank you.

Script to Disable Accounts

I have a spreadsheet of about 6k usernames that I need to disable. Basically, if the username is in the list, that account needs to be disabled in ARS. Is there a script that can achieve this?


OnInit Event - What causes this event to fire ?

I'm currently doing some work with Exchange 2010 snap-ins and, as per the advice on this website, I've included code in the OnInit event handler. The code only loads the snap-ins if they are not already loaded, however.

Along the lines of:

function OnInit($context)
{
    # load the Exchange 2010 snap-in only if it is not already in the session
    if (!(Get-PSSnapin |
          Where-Object { $_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010" })) {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    }
    else
    {
        # do something to let me know Exchange stuff is loaded in the session
    }
}

When I restart the ARS Service the OnInit event fires and the PSSnapin loads - however, when I then programmatically create a user in PowerShell using the New-QADUser cmdlet proxied through the ARS server, the OnInit event doesn't fire and the Exchange snap-ins are not available - therefore the code doesn't seem to run. I can only run the above code if I include it directly in onPostCreate or onPostModify - oddly this method does seem to work, i.e. the snap-ins stay loaded in the session. My concern is that it's not quite in keeping with the advice I've seen on the site.

Which brings me to my question - is there somewhere I can find more information on the OnInit event, when and how it fires, and why I'm seeing the above behaviour? I've tried the SDK but it doesn't seem to contain much information.

Problems setting folder rights at user creation

Hi, sorry for all the threads lately, I'm trying to wrap up the last bits of the setup of a client here. And I'm really scratching my head here on a script execution which sets folder permissions on the user's home folder.

The thing is, I can't use the built-in home folder generation because we have a huge SAN where the user's home folder's physical location is based on the user's location.
This is to reduce network traffic and have the home folder be on the server which is geographically closest to the user.

So, I've got this script which, based on the value selected from ExtensionAttribute1, determines which server the home folder is created on.

The thing is, everything works fine at "onPreModify" and at "onPostModify".
But trying to get it to work with "onPreCreate" or "onPostCreate" is a real pain!

And only a portion of the script doesn't seem to work. First, the script creates the home folder based on location. And this does work as intended. But setting the folder rights, this is where the problems are.

At first, I used xcacls.exe to set the permissions. And this worked as intended during said event handlers. But trying to get it to work during "onPostCreate" or "onPreCreate" was a strange affair. Sometimes (without modifying the script at all) some permissions were set. Other times, none were set. And sometimes, the permissions were set correctly. Very strange indeed.

So I thought it could have to do with xcacls.exe, so I tried using SetACL.exe instead. The same thing happens here as well. Everything works with said event handlers. But during user creation, no sir.

Here's the code, I could really use some help here because this is driving me insane!

[code]
Sub onPreCreate(Request)

If (LCase(Request.Class) <> "user") Then Exit Sub
Dim Lokasjon, username, strHomeServer, Filserver

Set WshShell = CreateObject("WScript.Shell")

'username = CStr(Request.Get("samAccountName"))
'username = DirObj.Get("samAccountName")
username = CStr(Request.Get("samAccountName"))
Lokasjon = CStr(Request.Get("extensionAttribute1"))

Set objNetwork = CreateObject("WScript.Network")
Set oFS = CreateObject("Scripting.FileSystemObject")

' Check which location was selected
If Lokasjon = "City1" Then
    Filserver = "\\fileserver\ikt\"
End If
If Lokasjon = "City2" Then
    Filserver = "\\fileserver2\ikt\"
End If

' Create the home folder on the chosen file server
oFS.CreateFolder(Filserver & username)

Dim strRemoveRights, strRunUsersRights

strRunUsersRights = "%COMSPEC% /c C:\CustomScripts\SetACL.vbs " & Filserver & username & " " & "domaingrp\" & username

WshShell.Run (strRunUsersRights) ' Adds the user's rights
'WshShell.Run (strRunAdminRights) ' Adds the admins' rights

' Create the DFS link to the home folder (uses the same Filserver path as above)
Dim strDFS

strDFS = "%comspec% /C dfscmd.exe /map \\domain.no\Users\" & username & " " & Filserver & username
WshShell.Run (strDFS)

End Sub

'***************************************************************************
' FUNCTIONS GO HERE, DO NOT TOUCH
'***************************************************************************

Function IsAttributeModified (ByVal strAttributeName, ByRef Request)
Dim objEntry, nControlCode, boolResult

IsAttributeModified = False

Set objEntry = Request.GetPropertyItem(strAttributeName, ADSTYPE_CASE_IGNORE_STRING)

If (objEntry Is Nothing) Then Exit Function
If (objEntry.ControlCode = 0) Then Exit Function

IsAttributeModified = True
End Function '-- IsAttributeModified


Function IsGroupPresent (ByVal arrGroups, ByVal strGroup)
IsGroupPresent = False
For Each strMemberOf In arrGroups
    ' Eventlog.ReportEvent 0, "value of strMemberOf = " & strMemberOf
    If strMemberOf = strGroup Then
        IsGroupPresent = True
    End If
    ' Eventlog.ReportEvent 0, "IsGroupPresent = " & IsGroupPresent
Next
End Function

Function IsObjectClassRequested(ByVal strClassName, ByRef Request)
IsObjectClassRequested = (LCase(Request.Class) = LCase(strClassName))
End Function[/code]

How to query AD for a list of users who are Active ONLY

Hi, I would like to query AD using PowerShell to get a list of all our users that are active, etc. However, when I run the query, I receive all users, both disabled and active. What is the query to show me only ACTIVE?

This is what I have so far...

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADUser -objectAttributes @{employeeID='*'} | select-Object firstname, lastname, employeeID, email, sAMAccountName, AccountisDisabled="false" | Export-Csv "C:\SUS-HR-DATA\Email_Address_Export\Email_Address_Export.csv" -NoTypeInformation

I have tried to substitute "AccountisDisabled" with multiple suggestions from online (edsaAccountIsDisabled, etc.), but no luck.

Thanks,

Artie

Multiple Admin Servers

Guys,

I have an ARS Admin server and a WI, and I have introduced another ARS Admin server. The second ARS Admin server I am using for processing PowerShell scripts and backend tasks.

Right now both ARS Admin servers seem to load balance when using the MMC console and, I guess, when using the WI. How can I stop this from happening and have the MMC and WI use only one server?

Thanks in advance


Run dos command via Powershell (onPostCreate)

Hi

I am trying to run the DOS command "icacls" after a new user creation. As part of the new user creation process we copy a "Vista" directory to the user's home drive - e:\vista. I am then trying to run ICACLS.EXE to set the ownership permission on this folder and propagate below.

I am using the following PowerShell script without success.

function onPostCreate($Request)
{
    # load the newly created object's attributes from the directory
    $DirObj.GetInfo()
    $samAccountName = $DirObj.Get("samAccountName")

    # set the owner of the user's Vista folder and propagate to subfolders and files
    Invoke-Expression "cmd.exe /c icacls.exe \\server1\$samAccountName$\vista /setowner bgs.com\$samAccountName /t /c"
}

I did have it working without the variable; however, I now cannot get it working. Any assistance or alternative method would be much appreciated.

Thanks

Nick

Issue with restricting delegated Exchange Mailbox Rights

Issue with Restricting Exchange Mailbox Rights:

I am trying to delegate basic Exchange management outside the Exchange team and I need to restrict the delegated administrator's ability to only select "Read permissions" and "Full mailbox access" when granting or removing rights to a user's mailbox. I was looking to restrict it with a policy script by reading the in-process attributes on pre-modify of the msExchMailboxSecurityDescriptor. The issue I am having is capturing the in-process attribute and trying to determine what the delegated administrator is doing. I have tried to determine the ACEMask; however, I have not been successful in seeing that the in-process item is a Security Descriptor.

Policy Script Below:

'---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Option Explicit

Const strLogFile1 = "C:\Exchange_Debug.log"  'Path for logging when turned on.
Const bolLogEnabled1 = True                   'Used to turn on and off logging.
Const strMessage = "Only Read and Full Mailbox Access may be Granted to a mailbox"

Sub Log1(msg)
    On Error Resume Next

    If bolLogEnabled1 Then
        Dim fso1, File1
        Set fso1 = CreateObject("Scripting.FileSystemObject")
        Set File1 = fso1.OpenTextFile(strLogFile1, 8, True)   ' 8 = ForAppending, create if missing
        File1.WriteLine (CStr(Now()) + vbTab + msg)
        File1.Close
    End If
End Sub

Sub onPreModify(Request)
    Log1("--------------------------")
    Log1("Exchange Security Descriptor Restriction - onPreModify Begin")
    Log1("--------------------------")
    'On Error Resume Next

    Dim i, item, strUID, value

    If Request.Class = "user" Then
        strUID = Request.Get("sAMAccountName")
        Log1("Account: " & strUID)
        Log1("PropertyCount: " & Request.PropertyCount)

        Dim str
        Dim oSecurityDescriptor
        Dim dacl
        Dim ace

        'Retrieve properties from in-process data
        For i = 0 To Request.PropertyCount - 1
            Set item = Request.Item(i)
            str = str + item.Name + ": "
            str = str + vbCrLf
            Log1("Item Name: " + item.Name)

            'Render each value according to its ADSI data type
            For Each value In item.Values
                Select Case value.ADsType
                    Case ADSTYPE_DN_STRING
                        str = str + value.DNString + ", "
                    Case ADSTYPE_CASE_EXACT_STRING
                        str = str + value.CaseExactString + ", "
                    Case ADSTYPE_CASE_IGNORE_STRING
                        str = str + value.CaseIgnoreString + ", "
                    Case ADSTYPE_PRINTABLE_STRING
                        str = str + value.PrintableString + ", "
                    Case ADSTYPE_NUMERIC_STRING
                        str = str + value.NumericString + ", "
                    Case ADSTYPE_BOOLEAN
                        str = str + CStr(value.Boolean) + ", "
                    Case ADSTYPE_INTEGER
                        str = str + CStr(value.Integer) + ", "
                    Case ADSTYPE_NT_SECURITY_DESCRIPTOR
                        str = str + CStr("SECURITY_DESCRIPTOR") + ", "

                        ' Set oSecurityDescriptor = item.ntSecurityDescriptor=20
                        ' Set dacl = oSecurityDescriptor.DiscretionaryAcl
                        ' For Each ace In dacl
                        '     Log1("Trustee: " & ace.Trustee)
                        '     Log1("Mask: " & ace.AccessMask)
                        ' Next
                End Select
            Next
            Log1(str)
        Next
    End If
End Sub
' -------------------------------------------------------------------------------------------------------------------------------------------------

OK / Cancel / Apply Event

Hi Folks,

I want to create a policy script which renames an object when a defined attribute is modified.

So far so good and no problem. But when I click on Apply the policy renames the object and the MMC shows an error "Failed to retrieve attributes of the object".

Is it possible to check whether the Apply or the OK button was pressed?

Regards,

BEN

Compliance Reporting and Umlauts

Hi, seems I can't post a blog so a discussion will have to do ....

I'm writing some compliance reports and scheduling them with ARS - the reports are basically group memberships and they are text files with .csv extensions. The problem I had was that the umlauts were being mangled by Excel when the auditors open the files.

The fix......

It appears that StreamWriter defaults to UTF-8, which preserves the umlauts (opening in Notepad correctly identified the file as UTF-8), but it appears the BOM was not being written to the file, so Excel was not correctly formatting the file.

To fix this I had to explicitly force the StreamWriter to write the BOM.

Create a System.Text.UTF8Encoding object:

$utf8 = New-Object System.Text.UTF8Encoding($true)

Using $false would stop the BOM being written - you might want that option, but it seems StreamWriter does that by default anyway.

Then when you open the file, use the object as follows to force the BOM to be written to the file:

$reportFile = New-Object System.IO.StreamWriter($filename,$true,$utf8)

You write to the file using $reportFile.WriteLine("Text you want added - or the AD object.attribute for example").

Why do I use the StreamWriter instead of Export-Csv?

1. It's quicker (http://blogs.technet.com/b/gbordier/archive/2009/05/05/powershell-and-writing-files-how-fast-can-you-write-to-a-file.aspx)

2. Export-Csv does not format the file correctly as there are commas in the user names

3. Export-Csv has the same problem writing to the file, and if you use the -Encoding switch then you get a single line in quotes, so no good for an Excel spreadsheet

4. We're getting away from the point of the post, which is just to tell you how to do it using StreamWriter - if that's what you wanted to do

Lee Andrews
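As an added example (not code from the original post), the BOM-forcing StreamWriter approach above wrapped into a reusable group-membership report, with each field quoted so the commas in user names stay in one column and a check that the BOM really is the first three bytes. It assumes the Quest ActiveRoles snap-in's Get-QADGroupMember cmdlet; the group name and report path are placeholders.

```powershell
# Assumes the Quest ActiveRoles snap-in is installed on the reporting server.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Quote one CSV field: wrap in double quotes and double any embedded quote,
# so a display name such as "Müller, Jörg" is not split into two columns.
function ConvertTo-CsvField([string]$Value) {
    return '"' + $Value.Replace('"', '""') + '"'
}

function Export-GroupMembershipReport {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # $true = emit the UTF-8 byte-order mark; StreamWriter omits it by default,
    # which is why Excel mangled the umlauts in the original reports.
    $utf8Bom = New-Object System.Text.UTF8Encoding($true)
    # $false = overwrite rather than append, so the BOM lands at offset 0
    # (the preamble is only written when the stream starts empty).
    $writer = New-Object System.IO.StreamWriter($Path, $false, $utf8Bom)
    try {
        $writer.WriteLine('"Group","DisplayName","sAMAccountName","Type"')
        # -SizeLimit 0 removes the default result cap for large groups
        foreach ($m in Get-QADGroupMember -Identity $GroupName -SizeLimit 0) {
            $fields = @($GroupName, $m.DisplayName, $m.SamAccountName, $m.Type) |
                ForEach-Object { ConvertTo-CsvField $_ }
            $writer.WriteLine(($fields -join ','))
        }
    }
    finally {
        $writer.Close()
    }
}

# Returns $true when the file starts with the UTF-8 BOM bytes EF BB BF,
# i.e. when Excel will read it as UTF-8 instead of the ANSI code page.
function Test-Utf8Bom([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($bytes.Length -ge 3 -and
            $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
}

# Placeholder group and path (constructed for this example)
$report = 'C:\Reports\Finance-Auditors.csv'
Export-GroupMembershipReport -GroupName 'Finance-Auditors' -Path $report
Test-Utf8Bom $report
```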

Script Condition Functions in ARS 6.8 SDK

Hello,

I have been trying to get some script conditions written for an automated workflow and am having some issues. I have seen the example in the SDK that demonstrates how to insert a script condition into an If-Else branch, but it either doesn't work or it's not being implemented properly. What is the proper way to pass objects that have been found in a Search box to an If-Else branch?

I can see that the script is immediately exiting on the first condition, which is to check if the $DirObj.Class is a user or not. The script is not seeing that the objects are users. When I output the $DirObj.Class to the event log it is indicating that it is "edsAutomationWorkflowDefinition".

What I am ultimately looking to accomplish is to search AD for users' passwords that haven't been set in the past 105 days. This is very easy to do with the built-in Search function. However, I want to be able to filter out some users if they are in certain OUs, so I have created a PowerShell script that is to analyze the DN of the in-process user and return $True or $False if the DN meets certain conditions.

So, I have a feeling that if I can properly pass the found user object to the If-Else branch, this will work. Thank you for any guidance. I have included a screenshot of my envisioned workflow.
